Security researchers released a tool this week that lets you collect social media profiles of a massive amount of people using face recognition. While that might sound like a terrible idea, the tool’s creators say it will help security professionals by giving them the same tools as the bad guys.
The tool, Social Mapper, is open-source and can gather someone’s information from LinkedIn, Facebook, Twitter, Instagram, Google+, and Chinese microblogging sites Weibo and Douban, and Russian social media service VKontakte.
Social Mapper was created by researchers at Trustwave, a security firm that developed the tool predominantly for penetration testing, or an authorized simulated attack intended to test a system’s security. The information gathered isn’t particularly invasive—an amateur internet sleuth can easily find someone’s social media profiles, especially if they have their name and their photo, which is what Social Mapper does—but on a slightly terrifying scale.
Social Mapper scans a large scale of individual profiles by performing face recognition checks on profile photos of the “target” based on top search results of their name. It’s not exactly quick—the researchers estimate it could take over 15 hours for lists of 1,000 people—but it’s an automated and efficient way to process a bounty of people’s social media profiles.
The program then generates a report consolidating all of the data, which includes links to the targets’ social media profiles. The researchers note in a blog post detailing the tool that it can also create lists for each of the social media sites checked with the name of the target as well as their possible work email.
The stated purpose of this tool is to streamline ethical hackers’ social media phishing campaigns—meaning, phishing campaigns they were paid to wage to test their clients’ security—by efficiently collecting and generating target lists. The researchers cite a few examples of what pen testers might be able to do with their tool, such as friending targets on social media with a fake profile and then sending them links to malware.
It’s not hard to imagine how such a tool, available to the public, might be exploited by bad actors, who could use it to more efficiently wage phishing and ransomware attacks. A Trustwave spokesperson shot down this criticism, saying that Social Mapper is intended for “pen testers and red teamers” whose responsibility is “to find vulnerabilities using tools and technologies Black Hats are already using or most likely have.”
In other words, tools like this already exist, but Trustwave is making it available to everyone, which “helps even the playing field,” the spokesperson said. Releasing tools like Social Mapper, they added is “very commonplace in the security industry and helps the good guys.”